CASB, castles in the air, and why surprises lurk within cloud data securityInformation Age spoke to Rajiv Gupta, the man who heads up cloud security business at McAfee. He told us why security professionals can react in horror to a surprising stat on how many cloud services organisations typically use, why they have enjoyed a road to Damascus moment regarding the cloud and security and what CASB has in common with castles in the air.
CASB — cloud access security broker — it’s the fastest growing security category ever — or so Gartner has claimed. And in the age of the cloud, in the age of data, security takes on a new level of importance but also complexity.
Take the castle
There was a time when security was about a castle. Medieval barons lived in them, and then as the computer age dawned, and computers evolved from mainframes to PCs, the castle became a metaphor: the moat, surrounding the walls to the bailey and within that, elevated on a mound: the keep. As the internet era dawned, hackers and security professionals talked about firewalls, maybe instead they should have referred to moats and keeps.
But in the data/cloud age, location is harder to define. The baron’s army rested, protected within the walls of the bailey. The PC was a specific device, something you could touch and see. These days data sits in the ether, on servers, scattered around the world. Security is no longer something that is specific to a location or an object. Maybe it is more akin to a tank or a moving fortress or a heavily armoured battleship or simply castles in the air, certainly CSOs (chief security officers) must have their heads in the cloud these days, worrying about the security of data, when that data is not at any one physical spot.
Cloud security: The latest thinking, a guide to implementing cloud securely
Cloud offers multiple benefits, including the ability to scale up and down quickly to meet demand. But some firms – especially in highly-regulated industries such as financial services – have been slow to adopt the technology due to concerns over cloud security. Kate O’Flaherty takes up the tale.
Data and security
“Data is our customer’s most important asset,” says Rajiv Gupta, Senior Vice President of the cloud security business at McAfee. He qualifies that description: “Data, whether it is stored, shared or created either on the device or in a service that is running in the cloud, is our customer’s most important asset.”
This is where CASB enters the story: “The cloud can be generic like AI, or you take a narrower look at cloud security or narrower still with CASB.”
There is a conflict within organisations — on the one hand you have developers. Their most important yardstick is usually time to market — their focus is agile. To a lesser extent, cost is an issue, although of course, rapid time to market can save an awful lot of cost, in the long run. For the developer, though, security is not the priority.
On the other hand, you have the chief security officer, the key measurement for the ladies and gentlemen, who fulfil this role, largely relates to the seriousness of breaches — their task is to minimise the number of breaches, and if they do occur, minimise their impact.
So that’s the different remit — it’s like there is a moat between developer and security professionals. Upon the drawbridge, overseeing the two conflicts is the CTO and CIO.
“But actually,” says Rajiv “the CSO does not want to be seen as a road block, does not want to be seen as the person in the way.”
CASB is one potential solution. It’s about making sure security requirements are met, both by cloud security partners and employees, while accessing cloud services. It’s technology for brokering this capability either across software as a service (SaaS) such as Office 365, Salesforce, Box or Slack or it’s infrastructure as a service, such as AWS, Azure or Google.
And there are two specific use cases of CASB:
- The first relates to sanctioning services. For example, maybe sanctioning say OneDrive, Box or Open Box, because the CSO knows they have appropriate security, but not say Zippyshare.
- The other relates to a shared responsibility between user and service provider concerning security of sanctioned products. So, for example, Microsoft has responsibility for ensuring their service — infrastructure, applications and servers — are secure. The user, however, is responsible for data sitting in the service. So, if an employee goes rogue, and downloads information from a OneDrive account and takes off with it, this is not Microsoft’s responsibility. Likewise, if an employee leaves a password so that it is publicly accessible and someone accesses their account, it is not Microsoft’s responsibility. So, the shared responsibility model means there is no scope for abdicating responsibility and blame to say Microsoft for your own internal errors.
That’s not a gulf, 1,935 cloud services is a world of difference with the 28-30 that CSOs believe to be the case.
CASB is a way to ensure that the policies on how data is secured are met consistently. So, it doesn’t matter where data is: you get consistent visibility with what has happened to your data, whether it is data sitting in a service like a LinkedIn or YouTube, or a sanctioned service such as OneDrive or such as SharePoint or Exchange, or data is sitting in a infrastructure service provider such as AWS.
Don’t build a maginot line of data security because without cyber security you are still vulnerable
The CSO surprise
How many cloud services does your organisation use? Ask a CSO that question and they will typically guess between 28 and 30. This is where the surprise comes in. In fact, McAfee’s own data, taken from their customer’s use of the cloud, finds that on average, an organisation uses 1,935 unique cloud services.
That’s not a gulf, 1,943 cloud services is a world of difference with the 28-30 that CSOs believe to be the case.
“Most CTOs look at that and say ‘that’s not possible. I couldn’t name that many services’. So, they react in horror, ‘this is a mess,’” says Rajiv.
How do they get it so wrong? “Some of the services that most CTOs don’t even know exist are being used implicitly — without anyone going to that site, so when employees are using the web, they don’t know what’s sitting in the background. For example: Google Analytics is used by many websites to give publishers of websites insight into what has happened, so there is data on employees shared on Google Analytics. Some organisations may not be aware of this.”
Rajiv gave a concrete example. In one case, employees were using a particular Chinese restaurant and looking at the menu to decide what to order. But the Chinese restaurant’s menu was hacked, so when downloading the menu these hungry employees were also downloading malware into the organisation.”
Sensitive data matters
But not all data is equal. Some data is sensitive, some data, such as marketing literature, is hardly confidential, the opposite in fact.
For the CSO, the number or services is not as important as knowing where the sensitive data is. So, for example, data related to intellectual property, process plans, employee data, customer data, or transactional data, is more interesting, the CSO needs to know where that is.
The 1935 services and the 90/10 rule
The 1935 is a big number, but drill down and you find that the spread of cloud services is more nuanced.
It turns out that of those 1935 services:
- 65% of all sensitive data is in SaaS or cloud services that have been sanctioned. The most popular of these is Office 365 which has 31% of sensitive data — so that’s collaboration and productivity. Salesforce (for customer relationship management) has about 15%.
- 25% sits in applications that developers have written, running in AWS or Azure or Google — typically more business transformation.
- And 10% of data sits in third party services, that the CSO may know about, or may have permitted because they don’t want to block it, such as YouTube or LinkedIn.
The balancing act of data mining ethics: The challenges of ethical data mining
Data handling ethics are a legal, political, and financial minefield. The balancing act between transparent and unethical data mining practices is providing a consistent challenge for modern enterprises.
The cheer leaders
“Microsoft, Amazon Salesforce etcetera spend many billions more on security than users of cloud services do. “As a result,” says Rajiv, “CSOs have become cheer leaders of cloud services adoption.”
“Data has always been the most important asset within an organisation, but when we had mainframes, the data was entombed in the mainframe and the only way to get access to it was via terminals. Then the PC came along.
“Then the data moved out from the mainframe to be processed within the PC. An industry emerged for protecting data on PCs, but all the same it was something you used at work, as it was too expensive for home use. So, you could protect the data by entombing the PC. Then came the internet. PCs were connected, employees could work remotely. So the security industry, with companies like McAfee, created network based controls by controlling what happens on the network. Now the data is already out. It is sitting in the cloud, employees are out, partners are not sitting by a firewall; they are not sitting by some network interception point. So, we have built up this walls and moat model; with the network being the central inspection and control point.
“Someone much wiser than me said: ‘the opposite of security is convenience.’The creators of CASB focused on both, security without sacrificing convenience.
“Security, applying CASB, becomes a key requirement to create, liberate, analyse and process my data, and to leverage the cloud,” says Rajiv
It’s as if the medieval baron, once refusing to move outside the castle, now actively encourages it, providing the lord and his troops keep to the well-guarded king’s highways.